Fluid Attacks Database

Description

A denial of service flaw has been discovered in Next.js. A request containing the next-resume: 1 header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior. In applications using the App Router with Partial Prerendering capability enabled (via experimental.ppr or cacheComponents), an attacker could send oversized next-resume POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel9	dotnet7.0	-	-
npm	next	>=16.0.1 <16.1.7	16.1.7

Aliases

1. CVE-2026-279792. NVD-2026-279793. OSV-2026-279794. GHSA-h27x-g6w4-24gq5. GCVE-2026-27979

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-h27x-g6w4-24gq2. https://github.com/vercel/next.js/commit/c885d4825f800dd1e49ead37274dcd08cdd6f3f13. https://github.com/vercel/next.js/releases/tag/v16.1.7

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.